Protiviti study on IT auditing raises more questions than it answers
There’s a new Protiviti study. Their 2011 IT Audit Benchmarking Survey summarizes the input from nearly 500 professionals and makes a number of observations.
Before getting into those observations, I have a couple of my own:
- The report talks about IT risks – but there is no such thing as an IT risk, only business risks due to a failure of technology. These days, talking separately (from business auditing) about IT audit and IT risks is somewhat ‘old-fashioned’. Companies are now talking more about business risk and the role of IT as both an enabler of solutions and a source of issues. The trend is towards building an audit plan that addresses those business risks and will probably have fewer pure IT audits as a result.
- Most of the issues raised in the report (such as the fact that auditors struggle to keep up with technology) are age-old. I have been in the profession since 1980 and they were problems then!
Here are their “key trends and takeaways”, with my comments.
“The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.”
- This has been the case since man discovered fire – and the risk of burns came later.
- The report did not address whether IT auditors are involved in change projects, whether these are major new ERP implementations, moving infrastructure or applications to the cloud, or the embracing of social media and mobile. Maybe that can be included in the next survey.
“IT risks do not garner nearly enough attention in organizations today, and in small companies in particular.”
- IT is a source of business risk, not a risk in-and-of itself. The study, I think, should have considered whether the internal audit function was looking at business risks – and considering the IT impact as part of that activity.
- The Protiviti statement may or may not be correct. Intuitively, as an IT auditor since (it seems) the dawn of computing, I think it is probably correct. But the level of resources allocated to IT issues should be commensurate with the level of risk and balanced against the need to address other sources of risk.
- In smaller companies (especially), the auditor has to take on all aspects of risk – including IT-related issues. He may be supplemented with co-sourcing.
“A large percentage of companies are not complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.”
- A large part of IT governance activities may be included as part of the audits of IT general controls (which the study shows is allocated a large level of resources).
- Even though the Standards require this, a risk-based planning exercise may have identified this as a lower risk area – and it would have been appropriate, therefore, not to include it in the plan.
- The main standard here, 2110, requires internal audit to assess governance processes in general. That is even more of a problem (fewer assess and report on more than a couple of governance processes) than IT governance.
“Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.”
- See above. There is no such thing as an IT risk, let alone a key IT risk. And, keeping up with technology is a problem for the ages.
“A surprisingly large number of organizations fail to conduct an annual IT risk assessment.”
- Good! They should be assessing business risk and not IT risk.
- Good! It should be a continuing and not an annual process.
“IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.”
- That may or may not be OK. It all depends on where a business risk-based audit program says the resources should be spent.
What do you think? I would appreciate your comments.